ppolicy.schema

来自「ldap服务器源码」· SCHEMA 代码 · 共 532 行 · 第 1/2 页

#   counter is only reset by a successful authentication.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.12
      NAME 'pwdFailureCountInterval'
      EQUALITY integerMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
      SINGLE-VALUE )

#5.2.13  pwdMustChange
#
#   This attribute specifies with a value of "TRUE" that users must
#   change their passwords when they first bind to the directory after a
#   password is set or reset by a password administrator.  If this
#   attribute is not present, or if the value is "FALSE", users are not
#   required to change their password upon binding after the password
#   administrator sets or resets the password.  This attribute is not set
#   due to any actions specified by this document, it is typically set by
#   a password administrator after resetting a user's password.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.13
      NAME 'pwdMustChange'
      EQUALITY booleanMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
      SINGLE-VALUE )

#5.2.14  pwdAllowUserChange
#
#   This attribute indicates whether users can change their own
#   passwords, although the change operation is still subject to access
#   control.  If this attribute is not present, a value of "TRUE" is
#   assumed.  This attribute is intended to be used in the absense of an
#   access control mechanism.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.14
      NAME 'pwdAllowUserChange'
      EQUALITY booleanMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
      SINGLE-VALUE )

#5.2.15  pwdSafeModify
#
#   This attribute specifies whether or not the existing password must be
#   sent along with the new password when being changed.  If this
#   attribute is not present, a "FALSE" value is assumed.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.15
      NAME 'pwdSafeModify'
      EQUALITY booleanMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
      SINGLE-VALUE )

# HP extensions
#
# pwdCheckModule
#
#    This attribute names a user-defined loadable module that provides
#    a check_password() function. If pwdCheckQuality is set to '1' or '2'
#    this function will be called after all of the internal password
#    quality checks have been passed. The function has this prototype:
#
#    int check_password( char *password, char **errormessage, void *arg )
#
#    The function should return LDAP_SUCCESS for a valid password.

attributetype ( 1.3.6.1.4.1.4754.1.99.1
     NAME 'pwdCheckModule'
     EQUALITY caseExactIA5Match
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
     DESC 'Loadable module that instantiates "check_password() function'
     SINGLE-VALUE )

objectclass ( 1.3.6.1.4.1.4754.2.99.1
      NAME 'pwdPolicyChecker'
      SUP top
      AUXILIARY
      MAY ( pwdCheckModule ) )

#5.1  The pwdPolicy Object Class
#
#   This object class contains the attributes defining a password policy
#   in effect for a set of users.  Section 10 describes the
#   administration of this object, and the relationship between it and
#   particular objects.
#
objectclass ( 1.3.6.1.4.1.42.2.27.8.2.1
      NAME 'pwdPolicy'
      SUP top
      AUXILIARY
      MUST ( pwdAttribute )
      MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $
      pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout
      $ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $
      pwdMustChange $ pwdAllowUserChange $ pwdSafeModify ) )

#5.3  Attribute Types for Password Policy State Information
#
#   Password policy state information must be maintained for each user.
#   The information is located in each user entry as a set of operational
#   attributes.  These operational attributes are: pwdChangedTime,
#   pwdAccountLockedTime, pwdFailureTime, pwdHistory, pwdGraceUseTime,
#   pwdReset, pwdPolicySubEntry.
#
#5.3.1  Password Policy State Attribute Option
#
#   Since the password policy could apply to several attributes used to
#   store passwords, each of the above operational attributes must have
#   an option to specify which pwdAttribute it applies to.  The password
#   policy option is defined as the following:
#
#   pwd-<passwordAttribute>
#
#   where passwordAttribute a string following the OID syntax
#   (1.3.6.1.4.1.1466.115.121.1.38).  The attribute type descriptor
#   (short name) MUST be used.
#
#   For example, if the pwdPolicy object has for pwdAttribute
#   "userPassword" then the pwdChangedTime operational attribute, in a
#   user entry, will be:
#
#   pwdChangedTime;pwd-userPassword: 20000103121520Z
#
#   This attribute option follows sub-typing semantics.  If a client
#   requests a password policy state attribute to be returned in a search
#   operation, and does not specify an option, all subtypes of that
#   policy state attribute are returned.
#
#5.3.2  pwdChangedTime
#
#   This attribute specifies the last time the entry's password was
#   changed.  This is used by the password expiration policy.  If this
#   attribute does not exist, the password will never expire.
#
#      ( 1.3.6.1.4.1.42.2.27.8.1.16
#      NAME 'pwdChangedTime'
#      DESC 'The time the password was last changed'
#      EQUALITY generalizedTimeMatch
#      ORDERING generalizedTimeOrderingMatch
#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
#      SINGLE-VALUE
#      USAGE directoryOperation )
#
#5.3.3  pwdAccountLockedTime
#
#   This attribute holds the time that the user's account was locked.  A
#   locked account means that the password may no longer be used to
#   authenticate.  A 000001010000Z value means that the account has been
#   locked permanently, and that only a password administrator can unlock
#   the account.
#
#      ( 1.3.6.1.4.1.42.2.27.8.1.17
#      NAME 'pwdAccountLockedTime'
#      DESC 'The time an user account was locked'
#      EQUALITY generalizedTimeMatch
#      ORDERING generalizedTimeOrderingMatch
#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
#      SINGLE-VALUE
#      USAGE directoryOperation )
#
#5.3.4  pwdFailureTime
#
#   This attribute holds the timestamps of the consecutive authentication
#   failures.
#
#      ( 1.3.6.1.4.1.42.2.27.8.1.19
#      NAME 'pwdFailureTime'
#      DESC 'The timestamps of the last consecutive authentication
#      failures'
#      EQUALITY generalizedTimeMatch
#      ORDERING generalizedTimeOrderingMatch
#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
#      USAGE directoryOperation )
#
#5.3.5  pwdHistory
#
#   This attribute holds a history of previously used passwords.  Values
#   of this attribute are transmitted in string format as given by the
#   following ABNF:
#
#   pwdHistory = time "#" syntaxOID "#" length "#" data
#
#   time       = <generalizedTimeString as specified in 6.14
#                 of [RFC2252]>
#
#   syntaxOID  = numericoid    ; the string representation of the
#                              ; dotted-decimal OID that defines the
#                              ; syntax used to store the password.
#                              ; numericoid is described in 4.1
#                              ; of [RFC2252].
#
#   length     = numericstring ; the number of octets in data.
#                              ; numericstring is described in 4.1
#                              ; of [RFC2252].
#
#   data       = <octets representing the password in the format
#                 specified by syntaxOID>.
#
#   This format allows the server to store, and transmit a history of
#   passwords that have been used.  In order for equality matching to
#   function properly, the time field needs to adhere to a consistent
#   format.  For this purpose, the time field MUST be in GMT format.
#
#      ( 1.3.6.1.4.1.42.2.27.8.1.20
#      NAME 'pwdHistory'
#      DESC 'The history of user s passwords'
#      EQUALITY octetStringMatch
#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
#      USAGE directoryOperation )
#
#5.3.6  pwdGraceUseTime
#
#   This attribute holds the timestamps of grace authentications after a
#   password has expired.
#
#      ( 1.3.6.1.4.1.42.2.27.8.1.21
#      NAME 'pwdGraceUseTime'
#      DESC 'The timestamps of the grace authentication after the
#      password has expired'
#      EQUALITY generalizedTimeMatch
#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
#
#5.3.7  pwdReset
#
#   This attribute holds a flag to indicate (when TRUE) that the password
#   has been updated by the password administrator and must be changed by
#   the user on first authentication.
#
#      ( 1.3.6.1.4.1.42.2.27.8.1.22
#      NAME 'pwdReset'
#      DESC 'The indication that the password has been reset'
#      EQUALITY booleanMatch
#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
#      SINGLE-VALUE
#      USAGE directoryOperation )
#
#5.3.8  pwdPolicySubentry
#
#   This attribute points to the pwdPolicy subentry in effect for this
#   object.
#
#      ( 1.3.6.1.4.1.42.2.27.8.1.23
#      NAME 'pwdPolicySubentry'
#      DESC 'The pwdPolicy subentry in effect for this object'
#      EQUALITY distinguishedNameMatch
#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
#      SINGLE-VALUE
#      USAGE directoryOperation )
#
#
#Disclaimer of Validity
#
#   This document and the information contained herein are provided on an
#   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
#   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
#   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
#   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
#   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
#   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
#
#
#Copyright Statement
#
#   Copyright (C) The Internet Society (2004).  This document is subject
#   to the rights, licenses and restrictions contained in BCP 78, and
#   except as set forth therein, the authors retain all their rights.